Terry Greer-King, Cisco’s UK&I director of cybersecurity, tells us about some of the big trends the company has seen in the first half of 2015
Cybercrime is a real and serious issue for all types of businesses today, with attacks increasing in both complexity and frequency daily. Cisco detects and prevents an average of 320 million cyber-attacks each day, a figure that has grown substantially year after year. In today’s hyper-connected, digitised world, the rise of the Internet of Everything (IoE) – the networked connection of people, processes, data and ‘things’ – increases the likelihood of cyber-attack as networks expand exponentially. As a result, there are essentially two types of companies today: those that have been hacked and those that don’t yet know they have been hacked.
Cisco’s threat intelligence team has investigated the current threat landscape and the ways in which adversaries are creating ever intelligent, resilient and evasive ways to breach systems and avoid detection. As detailed in Cisco’s Midyear Security Report (MSR), here is what we’ve seen in 2015 so far:
Angler attacks on the rise
Leading the exploit market in sophistication and effectiveness, the Angler exploit kit is on the rise. While the technique is not new, it is certainly pervasive: Cisco’s research reveals that 75 percent of subdomain activity since 2014 has been from Angler. Its success in evading detection is owed largely to its innovative use of Flash, Java, Internet Explorer and Silverlight vulnerabilities, and to domain shadowing, which lets the kit’s authors create subdomains under legitimate domains without the registrant’s knowledge. Because these subdomains point at malicious servers and are high-volume, sporadic and short-lived, security systems find them difficult to block. Cisco’s MSR revealed that 40 percent of users who encounter an Angler exploit kit landing page are compromised, compared with a success rate of only 20 percent for those using a mix of exploits.
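The three properties of shadowed subdomains described above (a burst of never-before-seen names under a legitimate domain, very short lifetimes, and resolution to servers the parent domain does not otherwise use) are all visible in DNS resolution logs, which is where a defender can look for them. The script below is an added example and is not code from Cisco or the Midyear Security Report; it scores constructed passive-DNS style records against those three signals. The two-label registered-domain heuristic, the window and the thresholds are assumptions chosen for illustration, and the record set is invented.

```python
"""Heuristic domain-shadowing detector over passive-DNS style records.

Added example, not Cisco's code. Signals scored per registered domain:
  * burst of never-before-seen subdomains inside a short window,
  * short lifetime of those subdomains (first sighting to last sighting),
  * subdomains resolving to IPs the apex/www hosts never use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, fully qualified name, answer IP).
# "example-shop.test" is a legitimate domain being shadowed; "corp-intranet.test"
# shows normal behaviour with a small, stable set of long-lived hosts.
RECORDS = [
    ("2015-06-01T09:00:00", "www.example-shop.test", "198.51.100.10"),
    ("2015-06-01T09:05:00", "example-shop.test", "198.51.100.10"),
    ("2015-06-01T09:10:00", "mail.example-shop.test", "198.51.100.11"),
    ("2015-06-01T09:12:00", "ad8x1.example-shop.test", "203.0.113.7"),
    ("2015-06-01T09:14:00", "ad8x1.example-shop.test", "203.0.113.7"),
    ("2015-06-01T09:20:00", "kq93f.example-shop.test", "203.0.113.8"),
    ("2015-06-01T09:31:00", "kq93f.example-shop.test", "203.0.113.8"),
    ("2015-06-01T09:40:00", "zz01m.example-shop.test", "203.0.113.9"),
    ("2015-06-01T09:55:00", "p7lqa.example-shop.test", "203.0.113.7"),
    ("2015-06-01T10:02:00", "h2r9v.example-shop.test", "203.0.113.12"),
    ("2015-06-01T11:00:00", "mail.example-shop.test", "198.51.100.11"),
    ("2015-06-01T09:00:00", "www.corp-intranet.test", "192.0.2.20"),
    ("2015-06-01T09:30:00", "vpn.corp-intranet.test", "192.0.2.21"),
    ("2015-06-01T12:00:00", "www.corp-intranet.test", "192.0.2.20"),
    ("2015-06-02T08:00:00", "vpn.corp-intranet.test", "192.0.2.21"),
]

BASELINE_LABELS = ("", "www")  # hosts assumed to represent the legitimate owner


def _labels(fqdn):
    return fqdn.lower().rstrip(".").split(".")


def registered_domain(fqdn):
    """Registrable domain. Assumption: last two labels; real deployments
    should use a public-suffix list (e.g. co.uk has three labels)."""
    return ".".join(_labels(fqdn)[-2:])


def host_label(fqdn):
    """Everything left of the registered domain; '' for the apex itself."""
    return ".".join(_labels(fqdn)[:-2])


def analyze_domain_shadowing(records, window=timedelta(hours=2), min_new=3,
                             max_lifetime=timedelta(hours=1)):
    """Return {registered_domain: {'candidates', 'burst', 'suspicious'}}."""
    per_domain = defaultdict(
        lambda: defaultdict(lambda: {"first": None, "last": None, "ips": set()}))
    for ts, fqdn, ip in records:
        t = datetime.fromisoformat(ts)
        entry = per_domain[registered_domain(fqdn)][host_label(fqdn)]
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
        entry["ips"].add(ip)

    report = {}
    for domain, hosts in per_domain.items():
        # IPs used by the owner's own hosts; an empty baseline means every
        # short-lived host qualifies, which is the conservative choice.
        baseline_ips = set()
        for label in BASELINE_LABELS:
            if label in hosts:
                baseline_ips |= hosts[label]["ips"]

        # Candidate shadow hosts: short-lived and pointing somewhere else.
        candidates = []
        for label, entry in hosts.items():
            if label in BASELINE_LABELS:
                continue
            lifetime = entry["last"] - entry["first"]
            if lifetime <= max_lifetime and entry["ips"].isdisjoint(baseline_ips):
                candidates.append((entry["first"], label))
        candidates.sort()

        # Burst: largest number of candidate first-sightings inside one window.
        firsts = [t for t, _ in candidates]
        burst = 0
        for i, start in enumerate(firsts):
            burst = max(burst, sum(1 for t in firsts[i:] if t - start <= window))

        report[domain] = {
            "candidates": [label for _, label in candidates],
            "burst": burst,
            "suspicious": burst >= min_new,
        }
    return report


def flagged_domains(records, **thresholds):
    """Sorted list of registered domains that trip the burst threshold."""
    report = analyze_domain_shadowing(records, **thresholds)
    return sorted(d for d, stats in report.items() if stats["suspicious"])


if __name__ == "__main__":
    for domain, stats in analyze_domain_shadowing(RECORDS).items():
        print(domain, stats)
```

On the constructed data, `example-shop.test` is flagged because five random-looking hosts appear within an hour, each lives for minutes and each resolves into a /24 the owner's `www` and apex never use, while the long-lived `mail` host is left alone; `corp-intranet.test` is not flagged. In practice the baseline should come from a longer history of the domain's own resolutions rather than just the apex and `www`.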
Flash is back
Throughout the first half of 2015 we have seen a 62 percent rise in the number of Adobe Flash Player vulnerabilities, compared with 41 percent in 2014. One of the key reasons for this spike is that, although Adobe frequently updates its Flash Player, users are struggling to keep on top of patches or are unaware that such updates exist at all. Adversaries are innovating rapidly to launch their attacks during this patching gap, while vulnerabilities in outdated versions remain exploitable. As adversaries integrate such techniques into widely used exploit kits, such as Angler and Nuclear, it is becoming ever more difficult for security teams to keep up.
Sense and Sensibility
Exploit kit authors are becoming increasingly crafty by incorporating text from 19th-century literature into the landing pages that host their exploit kits. More specifically, we’ve seen authors using lines from Jane Austen’s classic Sense and Sensibility to conceal malicious content. Adding classic text, or even contemporary excerpts such as magazine articles or blogs, is more effective than the traditional technique of random text, as antivirus solutions are more inclined to categorise the web page as legitimate. Users themselves may be puzzled by such references on a web page but not necessarily concerned, giving adversaries the chance to launch their attacks.
Ransomware has become an increasingly profitable business
Ransomware continues to be a lucrative business for cyber criminals operating in an industry worth £1 trillion per year. Thanks to anonymisation networks such as ‘Tor’ or the ‘Invisible Internet Project’, malware authors can run command-and-control communications while holding users’ data to ransom, all while concealing their own server locations and remaining undetected. Targeting all types of users, from enterprises to individuals, and all kinds of files, from financial details to family photos, adversaries demand an average payment of between $300 and $500 to release users’ encrypted files, according to Cisco research. Although not an exorbitant sum, the frequency of such attacks has proven profitable for cybercriminals, who are increasingly hiring professional development teams to create new tactics and variants, and who run their operations in a business-like manner, taking into consideration factors such as ‘customer service’ when demanding payment of a ransom.
Security as a process
These threats, however, are only a portion of the cybersecurity challenges that organisations face today, as the innovation race between adversaries and security vendors and teams accelerates. Cybersecurity reportedly costs the global economy between $375bn and $575bn annually, and 2015 is proving to be a year with an unprecedented number of innovative and evasive cyber-attacks.
Moreover, Cisco estimates that 60 percent of data is stolen within the first few hours of an attack, which suggests that even if businesses are aware that their systems have been breached, the damage has most likely already been done. In light of the current threat landscape, it is critical that businesses remain proactive, and the industry’s average time to detection (TTD) of 100 to 200 days is, quite simply, not good enough.
Pre-empting and addressing all sources of risk is ever more pertinent with the transformation of the digital economy and the growth in the IoE. Although the IoE offers immense value for industries, businesses and individuals alike, this ever-expanding connectivity unfortunately creates opportunities for hackers too. Cisco estimates that by 2020 there will be more than 50 billion devices connected to the Internet, and as the network extends and its access points proliferate, cybercriminals are increasingly finding loopholes and vulnerabilities to exploit.
Complete visibility over the network is the only way to detect, let alone address, anomalous behaviour, yet worryingly, too many businesses are not fully aware of what devices and applications are on their network. It is therefore critical that organisations consider an integrated threat defence architecture, one which embeds security everywhere, across the entire network and all of its access points.
The most effective way to mitigate all sources of risk and deflect even the most sophisticated threats is to adopt a holistic approach to security that addresses the entire threat continuum – before, during and after an attack. Rather than deploying point products on an ‘as and when needed’ basis, organisations must treat security as a business process, systematically reviewing potential sources of risk and aligning the right people, processes and technology to mitigate them.
Terry Greer-King is director, cyber security, at Cisco UK&I